Improved Non-Committing Encryption with Application to Adaptively Secure Protocols

joint work withDana Dachman-Soled (Columbia Univ.),

Tal Malkin (Columbia Univ.), andHoeteck Wee (CUNY, Queens College)

Seung Geol Choi Columbia University

2

Outline

• Motivation

• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring

• Conclusion

• Semi-honest vs. Malicious– corrupted parties behave honestly or– arbitrarily

• # corrupted parties– Honest majority vs. dishonest majority.

• Static vs. Adaptive [CFGN96]– corrupts parties are determined at the outset

or– during the protocol adaptively

Adversarial corruption in MPC

More Realistic Assumption on the Adversary

Black-box construction of Adaptively secure MPC with Dishonest Majority

MPC

Adaptively secureoblivious transfer

[IPS08]

(Aug.) NC-PKE

[CLOS02, CDMW09]

Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)?

- Of theoretical interest- More efficient: avoid general NP reductions incurred by ZK proofs.

Non-Committing Encryption (NCE) [CFGN96]

• Encryption that realizes a secure channel against an adaptive adversary– (Possibly interactive) encryption: (Gen, Enc, Dec)– with additional property: SIM

• SIM generates pairs of (e, c) that opens to 0 and to 1.(sender equivocal & receiver equivocal)

Enc(0) Enc(1)

Non-Committing Public Key Encryption (NC-PKE)

• Two-round NCE– Bob sends his pk to Alice– Alice sends an encryption under pk to Bob– Desirable

Goal

Construct (Aug.) NC-PKE from lower primitives

in a black-box manner.

MPC

Adaptively secureoblivious transfer

[IPS08]

(Aug.) NC-PKE

[CLOS02, CDMW09]

8

Outline

• Motivation

• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring

• Conclusion

Known NCE Constructions

[B97,DN00]

[CFGN96]

NC-PKESimulatable

common domain TDPCDHRSA

3-round NCE

Simulatable PKEDDH

LWE[GPV08]

Main Result• Construct NC-PKE from trapdoor Simulatable PKE

– Relaxed notion of simulatable PKE– First NC-PKE from LWE

• Construct trapdoor simulatable PKE from hardness of factoring– First NC-PKE from Factoring

Trapdoor simulatable PKE

NC-PKESimulatable

common domain TDPCDHRSA

3-round NCE

Simulatable PKEDDHLWE

Factoring

Our Contribution

From LWE and factoring, first black box constructions of– NC-PKE– Adaptively secure OT– Adaptively secure MPC with

dishonest majority

MPC

Oblivious Transfer[CLOS02,CDMW09]

[IPS08]

(Aug.) NC-PKE

LWEFactoring

TrapdoorSimulatable PKE

12

Outline

• Motivation

• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring

• Conclusion

Simulatable PKE [DN00]

• PKE (Gen, Enc, Dec) with additional properties– Property 1: Oblivious Sampling

• oGen: generates a random pk w/o learning about its sk

• oRndEnc: generates a random ciphertext w/o learning about its plaintext

• E.g. ElGamal:– key: (y = gx, x) Pick random y in G

– Enc: (gr, m*yr) pick random (c1, c2) from G

Simulatable PKE [DN00]

• Property 2: Invertibility– rGen

• Input: a normally-generated pub-key e,

• Output: randomness rG s.t. oGen(rG) = e

– rRndEnc• Input: a normally-generated key and ciphertext (e,c)

• Output: randomness rE s.t. oRndEnc(e,rE) = c

– E.g. ElGamal:• key: y from (y = gx, x) Output y

• Enc: y and (c1, c2) from (y,x) and (gr, m*yr) Output (c1, c2)

– Property 1: Oblivious Sampling• oGen: generates a random pk w/o learning about its sk• oRndEnc: generates a random ciphertext w/o learning about its plaintext• E.g. ElGamal:

– key: (y = gx, x) Pick random e in G

– Enc: (gr, m*yr) pick random (c1, c2) from G

Trapdoor

Trapdoor

+ randomness for Gen

+ randomness for Gen,End & plaintext

NCE from (trapdoor) simulatable PKE

• Need to construct SIM that generates ciphertexts that open to both 0 and 1.

• General Idea: SIM lies about obliviousness.– Protocol specifies some pk’s and ciphertexts

should be generated obliviously.– SIM knows everything (all the pk’s and

ciphertexts are generated by normal Gen, Enc).– SIM: clever lies on the set of obliviously

generated pk’s and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.

Toy Construction [DN00,KO04] - 1

• Key Gen: (pk0, pk1) – For a random x,

pkx Gen()pk1-x oGen()

• Encrypt. of a bit b: (c0, c1)– For a random y,

cy Enc(b), c1-y oEnc()

• Decryption of (c0, c1): – Output Dec(skx, cx)

c0c1

x = y

b?

pk0 pk1

x y Decryption error = ¼

( Can reduce by repetitions)

Toy Construction [DN00,KO04] - 2

• Secure for adaptive corruption for one party

– Disclaimer: Need to handle decryption error ¼ • If both corrupted?

1 0

Corrupt S: m = 1

1 0

Corrupt R: m = 0

1 0

1 0

Corrupt R

1 0

x is fixed ( x = y ).

Corrupt S

1 0

No events such as

The Idea to achieve NC-PKE

• Summary of the toy construction– R knows half of secret keys – Handles adaptive corruption of one party

[KO04]– Cannot handle corruption of both parties:

lack of freedom to simulate the secondly corrupted parties.

• To handle corruption of both parties– Raise the fraction of obliviousness– ¾ is good enough

The Construction

• KeyGen: (e1,…,e4k)– T: random set of size k

if x∈T, ex Gen()else ex oGen()

• Enc of b: (c1,…,c4k)– S: random set of size k,

if y∈S, cy Enc(bk), else cy oEnc()

• Dec of (c1,…,c4k): If Dec(skT, cT) contains 0k output 0. Else output 1

k = 2

Decryption error

= +

Summary: NCE-PK from (trapdoor) simulatable PKE

• Obliviousness– ¾ of keys and ciphertexts are generated

obliviously.– Still, we get negligible decryption error by

repetitions.– SIM can generate a (e,c) pair that opens to 0

and 1• Keys and ciphertexts are generated normally.• Using (trapdoor) invertibility, fake on obliviously

generated sets.

21

Outline

• Motivation

• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring

• Conclusion

Trapdoor Simulatable PKE from Factoring

• There is a standard construction that achieves PKE from trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP f,– Gen() (e, d) : e = f, d = f-1

– Enc(b) (f(x), r, (x · r) b): where r, x is random. • Construct TDP from hardness of factoring

Blum Integers (BI) with oblivious sampling and trapdoor invertibility

Rabin’s TDP for Blum Integers

• Quadratic Residues on a Bl integer N: QRN = {y : y = x2 , x Z∈ N*}

• Rabin TDP– f:QRN QRN

– f(x) = x2 mod N– Is based on hardness of factoring assumption

Basic Idea: for Keys

• Key Generation: sample k3 k-bit integers w/ factoring [Bach ’88]

• Encryption of b given keys (N1, …, Nk3)

– EncN1(b1), …., EncNk3(bk3)

where b = b1 … bk3

– WHP, at least one Ni is BI.

• Oblivious sampling: easy (sample k3 integers)• Trapdoor Invertibility: easy

Basic Idea : for Ciphertexts

• Change TDP description slightly– QN = {a2k : a Z∈ N*} where k = |N|

– f: QN QN , f(x) = x2k+1 mod N

• Oblivious sampling: easy (sample from QN)

• Trapdoor Invertibility: find random 2k-th root w/ factoring

26

Outline

• Motivation

• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring

• Conclusion

Conclusion

From LWE and factoring, first black box constructions of– NC-PKE– Adaptively secure OT– Adaptively secure MPC with

honest minority

MPC

Oblivious Transfer

[CLOS02,CDMW09]

[IPS08]

(Aug.) NC-PKE

LWEFactoring

TrapdoorSimulatable PKE

Thank you